We have imporved the extension enumeration in Keystone. If you got to
http://hostname:35357/v3 you should see a listing of the extensions that
are enabled for that Keystone server
On 10/08/2013 07:07 PM, Miller, Mark M (EB SW Cloud - R&D - Corvallis)
wrote:
Sorry to send this out again, but I wrote too soon. I was missing one driver
entry in keystone.conf. Here are my working settings:
File keystone.conf:
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
#driver = keystone.catalog.backends.sql.Catalog
driver =
keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog
template_file = default_catalog.templates
[endpoint_filter]
# extension for creating associations between project and endpoints in order to
# provide a tailored catalog for project-scoped token requests.
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
return_all_endpoints_if_no_filter = False
File keystone-paste.ini:
[filter:endpoint_filter_extension]
paste.filter_factory =
keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
and
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth
xml_body json_body ec2_extension s3_extension oauth1_extension
endpoint_filter_extension service_v3
Updated Installation instructions:
To enable the endpoint filter extension:
1. Add the new filter driver to the catalog section to "keystone.conf".
Example:
[catalog]
driver =
keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCatalog
2. Add the new [endpoint_filter] section to ``keystone.conf``.
Example:
[endpoint_filter]
# extension for creating associations between project and endpoints in order
to # provide a tailored catalog for project-scoped token requests.
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True
optional: uncomment and set ``return_all_endpoints_if_no_filter``
3. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
``keystone-paste.ini``.
Example:
[filter:endpoint_filter_extension]
paste.filter_factory =
keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth
xml_body json_body ec2_extension s3_extension endpoint_filter_extension
service_v3
4. Create the endpoint filter extension tables if using the provided sql
backend.
Example::
./bin/keystone-manage db_sync --extension endpoint_filter
5. Once you have done the changes restart the keystone-server to apply the
changes.
-----Original Message-----
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Tuesday, October 08, 2013 1:51 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Slightly adjusted instructions after testing:
To enable the endpoint filter extension:
1. Add the new [endpoin_ filter] section ton ``keystone.conf``.
example:
[endpoint_filter]
# extension for creating associations between project and endpoints in order
to # provide a tailored catalog for project-scoped token requests.
driver = keystone.contrib.endpoint_filter.backends.sql.EndpointFilter
# return_all_endpoints_if_no_filter = True
optional: change ``return_all_endpoints_if_no_filter`` the
``[endpoint_filter]`` section
2. Add the ``endpoint_filter_extension`` filter to the ``api_v3`` pipeline in
``keystone-paste.ini``.
example:
[filter:endpoint_filter_extension]
paste.filter_factory =
keystone.contrib.endpoint_filter.routers:EndpointFilterExtension.factory
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth admin_token_auth
xml_body json_body ec2_extension s3_extension
endpoint_filter_extension service_v3
3. Create the endpoint filter extension tables if using the provided sql
backend. example::
./bin/keystone-manage db_sync --extension endpoint_filter
4. Once you have done the changes restart the keystone-server to apply the
changes.
-----Original Message-----
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Tuesday, October 08, 2013 1:30 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Here is the response from Fabio:
Mark,
Please have a look at the configuration.rst in the
contrib/endpoint-filter folder.
I pasted here for your convenience:
==================================
Enabling Endpoint Filter Extension
==================================To enable the endpoint filter
extension:
1. add the endpoint filter extension catalog driver to the ``[catalog]``
section
in ``keystone.conf``. example::
[catalog]
driver =
keystone.contrib.endpoint_filter.backends.catalog_sql.EndpointFilterCa
talog 2. add the ``endpoint_filter_extension`` filter to the
``api_v3`` pipeline in
``keystone-paste.ini``. example::
[pipeline:api_v3]
pipeline = access_log sizelimit url_normalize token_auth
admin_token_auth xml_body json_body ec2_extension s3_extension
endpoint_filter_extension service_v3 3. create the endpoint filter
extension tables if using the provided sql backend. example::
./bin/keystone-manage db_sync --extension endpoint_filter 4. optional:
change ``return_all_endpoints_if_no_filter`` the ``[endpoint_filter]``
section
in ``keystone.conf`` to return an empty catalog if no associations are
made.
example::
[endpoint_filter]
return_all_endpoints_if_no_filter = False
Steps 1-3 are mandatory. Once you have done the changes restart the
keystone-server to apply the changes.
The /v3/auth/tokens?nocatalog is to remove the catalog from the token
creation.
It is different from the filtering because it won't return any
endpoint in the service catalog. The endpoint filter will return only
the ones that you have associated with a particular project.
Please bear in mind that this works only with scoped token (meaning
where you pass a project id).
-----Original Message-----
From: Miller, Mark M (EB SW Cloud - R&D - Corvallis)
Sent: Tuesday, October 08, 2013 1:21 PM
To: OpenStack Development Mailing List
Subject: [openstack-dev] Keystone OS-EP-FILTER descrepancy
Hello,
I am attempting to test the Havana v3 OS-EP-FILTER extension with
the latest RC1 bits and I get a 404 error response.
The documentation actually shows 2 different URIs for this API:
- GET /OS-EP-FILTER/projects/{project_id}/endpoints and
http://identity:35357/v3/OS-FILTER/projects/{project_id}/endpoints
I have tried both "OS-EP-FILTER" and "OS-FILTER" with the same result.
Does anyone have information as to what I am missing?
Regards,
Mark Miller
-------------
From the online documentation:
List Associations for Project: GET /OS-EP-
FILTER/projects/{project_id}/endpoints
Returns all the endpoints that are currently associated with a
specific
project.
Response:
Status: 200 OK
{
"endpoints":
[
{
"id": "--endpoint-id--",
"interface": "public",
"url": "http://identity:35357/";,
"region": "north",
"links": {
"self": "http://identity:35357/v3/endpoints/--endpoint-id--";
},
"service_id": "--service-id--"
},
{
"id": "--endpoint-id--",
"interface": "internal",
"region": "south",
"url": "http://identity:35357/";,
"links": {
"self": "http://identity:35357/v3/endpoints/--endpoint-id--";
},
"service_id": "--service-id--"
}
],
"links": {
"self": "http://identity:35357/v3/OS-
FILTER/projects/{project_id}/endpoints",
"previous": null,
"next": null
}
}
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
